WordPress puts food on my table.

CSRF Slides

Jeremiah Grossman posted some good slides about the issue of Cross-Site Request Forgeries (CSRF). We tackled this security issue in WordPress two years ago. I wrote an article about the issue that still holds true (plugin authors should definitely give it a read if any of this sounds unfamiliar). Our method is the token method, with fallback to a slightly modified version of the Are You Sure? method for plugins that haven’t properly implemented the token method. It was a large effort to implement it, but it has paid off handsomely. CSRF is largely a non-issue in WordPress, which means we can focus our efforts on XSS and SQL injection vectors.
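
As an added example (mine, not WordPress's own code nor anything from the linked article), here is a minimal version of the token method the post describes: a per-user, per-action token that rotates on a time window and is checked before any state change. The lifetime, the secret and the user ids are constructed for the demo.

```python
"""Time-windowed, per-user, per-action CSRF token ("nonce") in the style of
the token method described in the post. Secret, ids and timestamps are
constructed demo values, not anything from a real site."""
import hashlib
import hmac
import math
import time

NONCE_LIFE = 24 * 60 * 60  # token lifetime in seconds (assumption: one day)
SECRET_KEY = b"constructed-demo-secret"  # constructed; a real site uses a random key


def nonce_tick(now=None):
    # A tick is half the lifetime; accepting the current and the previous tick
    # means every token is valid for somewhere between 12 and 24 hours.
    now = time.time() if now is None else now
    return math.ceil(now / (NONCE_LIFE / 2))


def _token_for(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(action, user_id, now=None):
    """Bind the token to what is being done (action) and who does it (user)."""
    return _token_for(nonce_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """1 = token from the current tick, 2 = from the previous tick,
    0 = missing, stale, forged, or issued for another user or action."""
    if not nonce:
        return 0
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _token_for(t, action, user_id)
        if hmac.compare_digest(expected, nonce):  # constant-time comparison
            return age
    return 0


def handle_delete_post(form, session_user_id, now=None):
    """Form handler: the token is checked before the state change, so a
    cross-site request that lacks or guesses the token does nothing."""
    post_id = form.get("post_id")
    action = f"delete-post_{post_id}"  # one action name per object, as in WordPress
    if not verify_nonce(form.get("_nonce"), action, session_user_id, now):
        return "rejected"  # WordPress's fallback here is its "Are You Sure?" screen
    return f"deleted {post_id}"
```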

Jacob, in theory, yes. But with CSRF there was a concerted effort to “nonce” all the forms. There are many more SQL injection and XSS “points of attack” than there are forms to attack with CSRF, and all it takes is missing one. I’m hoping the prepare stuff will help, but it hasn’t yet been fully implemented (getting there for 2.6, though!). We also need to have more eyes on new code, checking it to make sure it’s using our security/escaping/sanitization functions.
